ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting cortex and telegraf

 

On Friday, April 22 2022, Athos Ribeiro wrote:

> On Thu, Apr 21, 2022 at 05:01:49AM +0000, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
>>New CVEs affecting packages used to build upstream based rocks have been
>>created in the Ubuntu CVE tracker:
>>
>>* https://github.com/gogo/protobuf:
>>* https://github.com/hashicorp/consul: CVE-2022-29153
>>* https://github.com/prometheus/prometheus:
>>
>>Please review your rock to understand if it is affected by these CVEs.
>>
>>Thank you for your rock and for attending to this matter.
>>
>>References:
>>https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-29153
>>
>>
>>
>> -- 
>>Mailing list: https://launchpad.net/~ubuntu-docker-images
>>Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>More help   : https://help.launchpad.net/ListHelp
>
> The new telegraf 22.04 ROCK does not ship the affected version of
> consul.
>
> While the cortex ROCK does use a consul version that is affected by this
> CVE, it only ships the consul/api client package, which is not affected
> by the CVE.
>
> No actions should be needed from our end here.

Thanks for checking this, Athos.

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

